hashwatch verify CLI#
Verify files against HashWatch’s known-good corpus from a terminal or a pipeline.
hashwatch verify <file>... # hash local file(s) and verify
hashwatch verify --url <url> # stream-download, hash, and verify
hashwatch verify --sha256 <hex> # verify a precomputed digest
cat file | hashwatch verify - # hash stdinFlags: --api-key (or $HASHWATCH_API_KEY) widens the check from the public feed to the full
known-good corpus · --json · --quiet · --allow-unknown.
Exit codes (so CI fails on an unverified artifact):
| Code | Meaning |
|---|---|
0 | every input is known-good |
1 | at least one input is unknown |
2 | usage or runtime error |
GitHub Actions#
- uses: <your-org>/hashwatch-verify@v1
with:
files: "dist/*.exe dist/*.msi"
api-key: ${{ secrets.HASHWATCH_API_KEY }} # optionalGitLab CI#
verify-artifacts:
image: hashwatch-cli:latest
script:
- hashwatch verify dist/*.exe dist/*.msi
# set HASHWATCH_API_KEY as a masked CI/CD variable (optional)Without a key the CLI uses the keyless public feed (today’s verified set); with a key it queries the full corpus (NSRL + every tracked vendor release).